IT Security Incident/News

SMU Phishing Exercise 2016 - Results

The phishing exercise was conducted by IITS in Oct and Nov 2016, involving over 12,000 staff and students. A total of 13.49% of our faculty and staff and 28.30% of students fell prey to this phishing test.

Content Of The Phishing Email

Tips On How To Identify A Phishing Email

Ransomware

What is ransomware? A type of malicious software designed to block access to a computer system until a sum of money is paid. It blocks access by encrypting files.

One of the most common ransomware families is CryptoLocker.

The most recent is Locky ransomware (Sample Email).

Ransomware has become increasingly complex and advanced over time, making prevention and protection more challenging. Ransomware can enter a PC through many vectors, including email spam, phishing attacks, or malicious web downloads. As with other highly sophisticated threats, organizations are recommended to employ multiple layers of protection on endpoints, gateways and mail servers for the highest level of protection against ransomware.

Exercise good email and website safety practices – downloading attachments, clicking URLs or executing programs only from trusted sources. Always check who the email sender is. If the email is supposedly coming from a bank, verify with your bank if the received message is legitimate. If from a personal contact, confirm if they sent the message.

Refrain from clicking links in email. In general, clicking on links in email should be avoided. It is safer to visit any site mentioned in email directly. If you have to click on a link in email, make sure your browser uses web reputation to check the link.

Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task.

Backup important data. Unfortunately, there is no known tool to decrypt the files encrypted by a ransomware. A safe computing practice is to ensure you have back-ups of your files. The 3-2-1 principle should be in play: three copies, two different media, one separate location.

Encourage users to alert the IT Security team or Help Centre of potentially suspicious emails and files.

Apple IDs Compromised - iPhones or iPads held for ransom

Recently, some users in Australia, New Zealand, Canada and the US have had their Apple IDs compromised. As a result, affected users had their iPhones or iPads remotely locked and held for ransom. Users received the following screen on their locked devices.

Once the Apple ID is compromised, the perpetrator can access the Find My iPhone feature in iCloud, turn on the Lost Mode feature, lock the device and display a ransom message.

While it remains unclear how the Apple IDs were compromised, there are some good security practices to follow to prevent the above from happening.

Set a passcode on your phone or tablet. If you have set a passcode on your device, you can unlock it by entering your passcode. If you did not set a passcode, the perpetrator is required to set one when enabling the Lost Mode feature. Unless you know that passcode, your device will remain locked and you will have to call Apple support for assistance.

Set up two-step verification for your Apple ID. This will make it much harder for an attacker to access your Apple ID account to make changes or purchases. In essence, besides entering your Apple ID and password, you will have to enter a verification code sent to you before you can access your Apple account.

New Android Malware Blocks Phone Calls

Are you running the "Android" operating system on your mobile phone? Are you aware of the new Android malware threats that can intercept phone calls?

Security researchers found six variants of a new Android threat that intercepts and then disconnects phone calls before they reach the recipient. Details of the research are sourced from http://www.cruxialcio.com/

Cybercriminals' pursuit of profit is readily apparent in the vast majority of mobile malware, but occasionally security researchers stumble across a baffling feature.

Such is the case with researchers at FireEye who found six variants of a new Android threat that intercepts and then disconnects phone calls before they reach the recipient. Why it does that remains a mystery. After the malware is installed, it creates a database on the mobile phone and downloads from a command and control server the phone numbers it will block.

The interception occurs before the phone rings and prior to the number being listed in the missed calls list. The same steps are followed when a text message is sent to one of the numbers. The message is intercepted and sent to the command-and-control server unbeknownst to the phone's user.

What to do: Avoid mobile malware by restricting the downloading of apps to trusted online marketplaces.

The CnC server was taken down before FireEye could use the malware to download numbers, so the security vendor cannot say why they were being blocked.

"We don't know what the actual numbers are or who they belong to," FireEye security researcher Hitesh Dharmdasani told CruxialCIO. Researchers do know that the app is disguised as Android security software that the creators advertise as an operating system update.

The app, which appears to originate from Korea, is available on third-party online stores, not the official Google Play store. Third-party app stores are popular in Asia, Eastern Europe and Russia. Because the sites are not policed for malware, cybercriminals will often embed their malicious code in counterfeits of popular apps.

"If your device has the capability to download apps from third-party marketplaces, it's pretty dangerous," Dharmdasani said. "If you stick to the Google Play store, then you should not be very concerned." Google continuously scans its store for malware, so the chance of downloading such apps is extremely low.

"FireEye discovers puzzling Android malware on 10th anniversary of the first mobile malware."

This year marks the 10th anniversary of the discovery of the first mobile malware, which was called Cabir. Designed for the Nokia Series 60 phone, Cabir spread itself over Bluetooth and would display on the screen the word "Caribe." Researchers believe the relatively benign app was a proof of concept by a hacker group called 29A, according to an anniversary report released Tuesday by Fortinet.

Since then, malware has evolved to where the most common threat is having an app secretly send text messages to a paid service. The charges eventually appear on the user's wireless bill. Also, adware in apps has become increasingly aggressive in taking users' personal information and sending it to advertisers.

Among the most powerful malware to date is called DroidKungFu, which emerged in 2011 and is capable of commandeering a phone and then taking instructions from a CnC server. Last year marked the debut of the first ransomware for Android mobile phones. Like its PC counterparts, the malware locks the device and refuses to release it unless a fee is paid.

In general, malware is much less of a problem on iPhones because apps are vetted and only made available through Apple's App Store. Nevertheless, the risk of having a smartphone infected with malware is extremely low. A study conducted last year by Georgia Institute of Technology and security vendor Damballa found fewer than 3,500 phones infected with malware out of more than 380 million devices, for an infection rate of 0.0009 percent.

Compromised Customer Database at Adobe Systems Inc

Adobe has announced that some of their customer information stored in a database has been compromised. The information that may have been compromised includes names, user identification numbers, encrypted passwords and payment card numbers. As a precaution, Adobe has reset passwords for all users whose current login information was in the database that was taken by the attackers.

You will receive an email notification from Adobe with information on how to change your password. They will only notify customers whose Adobe ID and password were involved, and that process is already underway.

As a precaution, we strongly recommend that you change your password on all systems, especially SMU systems, where you may have used the same user ID and password as your Adobe ID and password.

Protect yourself against non-legitimate email "phishing" attempts: If you received an email requesting you to change your password, and you're concerned whether it is legitimate, don't click any links in the email. Instead, type www.adobe.com/go/passwordreset into your browser to be sure. How to recognize phishing attempts.

Cyber experts uncover 2 million stolen passwords to Web accounts

(Reuters) - Security experts have uncovered a trove of some 2 million stolen passwords to websites including Facebook, Google, Twitter and Yahoo from Internet users across the globe.

Researchers with Trustwave's SpiderLabs said they discovered the credentials while investigating a server in the Netherlands that cyber criminals use to control a massive network of compromised computers known as the "Pony botnet."

The company told Reuters on Wednesday that it has reported its findings to the largest of more than 90,000 websites and Internet service providers whose customers' credentials it had found on the server.

The data includes more than 326,000 Facebook Inc accounts, some 60,000 Google Inc accounts, more than 59,000 Yahoo Inc accounts and nearly 22,000 Twitter Inc accounts, according to SpiderLabs. Victims were from the United States, Germany, Singapore and Thailand, among other countries.

Representatives for Facebook and Twitter said the companies have reset the passwords of affected users. A Google spokeswoman declined comment. Yahoo representatives could not be reached.

SpiderLabs said it has contacted authorities in the Netherlands and asked them to take down the Pony botnet server.

An analysis posted on the SpiderLabs blog showed that the most-common password in the set was "123456," which was used in nearly 16,000 accounts. Other commonly used credentials included "password," "admin," "123" and "1." (bit.ly/1g6hfJZ)

Useful Tips

One method of choosing a strong password

Think of a phrase. Select the first letter of each word in the phrase.

Use both upper-case and lower-case letters.

Some letters can be changed to numbers. Examples: “5” for “S”, “7” for “L”, “3” for “E”, “0” (zero) for “O”.

Some letters can be changed to symbols. Examples: “@” for “a”, “!” for “I” or “l”.
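The phrase-to-password method above, combined with a check against the most common leaked passwords from the Pony botnet article ("123456", "password", "admin", "123", "1"), as an added example. This is not IITS or SMU code: the function names, the fixed substitution table (the page's own letter-to-digit and letter-to-symbol pairs, with "7" applied to upper-case L and "!" to lower-case l to resolve the two suggestions for that letter), the eight-character minimum and the sample phrases are this example's own assumptions.

```python
"""Derive a password from a memorable phrase using the method described on the
page (first letter of each word, mixed case, letter-to-digit and letter-to-symbol
substitutions), then check the result for common weaknesses.

Added example; the substitution table below pairs up the page's suggested
replacements, and everything else (names, minimum length, sample phrases)
is this example's own choice.
"""
import string

# Substitutions from the page's tips. Where the page gives one replacement for
# a letter, both cases are mapped; the page lists "7" for L and "!" for l, so
# upper-case L becomes "7" and lower-case l becomes "!" (an assumption here).
SUBSTITUTIONS = {
    "S": "5", "s": "5",
    "L": "7", "l": "!",
    "E": "3", "e": "3",
    "O": "0", "o": "0",
    "a": "@",
    "I": "!",
}

# The five most common passwords in the SpiderLabs Pony botnet findings quoted
# on the page; a real deployment would compare against a much larger breach list.
COMMON_PASSWORDS = {"123456", "password", "admin", "123", "1"}


def passphrase_to_password(phrase: str) -> str:
    """Take the first character of each word, keeping each word's own case (so
    capitalised words supply the upper-case letters), then apply the
    substitution table to every character that has an entry."""
    initials = [word[0] for word in phrase.split() if word]
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in initials)


def password_issues(password: str, common=COMMON_PASSWORDS, min_length: int = 8) -> list:
    """Return the reasons a password is weak; an empty list means it passed."""
    issues = []
    if password.lower() in {c.lower() for c in common}:
        issues.append("matches a commonly used password")
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if not any(ch.isupper() for ch in password):
        issues.append("no upper-case letter")
    if not any(ch.islower() for ch in password):
        issues.append("no lower-case letter")
    if not any(ch.isdigit() for ch in password):
        issues.append("no digit")
    if not any(ch in string.punctuation for ch in password):
        issues.append("no symbol")
    return issues


if __name__ == "__main__":
    # Constructed sample phrases; a real phrase should be private to its owner.
    for phrase in ("My dog Rex eats 3 apples every Sunday",
                   "The Quick Brown Fox Jumps Over The Lazy Dog"):
        pw = passphrase_to_password(phrase)
        print(f"{phrase!r} -> {pw!r}: {password_issues(pw) or 'ok'}")
```

A phrase of all capitalised words yields no lower-case letters and, unless a word starts with "a", no symbol, so the checker reports both; mixing word cases in the phrase fixes that, as the first sample shows.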

Do you pay attention to whether you are accessing the genuine website? Can you guess which of the MOM websites below is the real one?

Figure 1

Figure 2

Figure 3

Figure 4

Have you noticed the differences? I hope you identified the correct MOM official site...

Just remember SAM. SAM stands for Source Always Matters. We should always check the source to ensure we are clicking on genuine links, as perpetrators will try to lure you to malicious sites by hiding the source. So don’t be tricked. Think of SAM.

Figure 2 and Figure 4 are the genuine MOM web pages. Here are the details of the MOM fake website incident (source: http://www.insing.com/).

The Ministry Of Manpower (MOM) has cautioned the public against fake websites online which have been duplicating the official MOM website (www.mom.gov.sg).

The ministry made the announcement on Facebook on Thursday, 29 December, adding that the public should only use mom.gov.sg for all relevant matters.

The first duplicate website, www.momgov.sg was discovered last Thursday, 28 November, and a police report was made the following day. The site was deleted close to midnight on Friday.

Another duplicate site, www.movgov.sg was found on Saturday and the website was deleted after another police report was made.

The two duplicate websites had followed the layout, colour scheme and images of the official MOM website.

Internet users who visited the duplicate sites were greeted with pop-up pages of spam advertising.

The ministry posted an update on their Facebook page on the morning of 1 December 2013, telling the public that the websites were deleted but "it will take about 48 hours for servers worldwide to effect the deletion. This means that some of you may still be able to view the website till then.”

The fake websites are inaccessible as of Monday morning.

“We would like to caution everyone that a small variation in the URL (in these cases, a full-stop or a misspelling) can make a whole world of difference,” wrote the administrators on the Facebook page.

He wrote: “Some feel it is a game and cheer on such activities. It is not. It disrupts all our lives and if substantive sites are really compromised, consequences aren't always trivial.”

Tan also warned the public against these sites and the disruptions they may potentially bring.

“Phishing sites are criminal because they try to fool you into giving your data. Serious hacking that entails stealing of information and disruption of systems is dangerous and something we must defend against,” wrote Tan.
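The "small variation in the URL" the ministry warns about (a dropped full stop in www.momgov.sg, a misspelling in www.movgov.sg) can be checked mechanically before a link is followed, which is the SAM check from above in code. This is an added example, not the ministry's or SMU's code: the three-way classification, the edit-distance threshold of 2, the substring rule for hosts that merely contain the trusted name, and the constructed sample URLs are this example's own assumptions.

```python
"""Classify a link's host against a trusted domain: the "Source Always Matters"
check applied to the MOM lookalike domains described on the page.

Added example; the rules below (subdomain test, edit distance of at most 2,
and a substring test) and the constructed URLs are this example's own choices.
"""
from urllib.parse import urlsplit


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lower-case host part of a URL; a bare host like "www.mom.gov.sg" is accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def classify_link(url: str, trusted_domain: str, max_distance: int = 2) -> str:
    """Return "genuine", "lookalike" or "unrelated" for url relative to trusted_domain.

    genuine   - the host is the trusted domain or a subdomain of it (www.mom.gov.sg)
    lookalike - the host is within max_distance edits of the trusted domain (a
                missing full stop or one wrong letter, as in the MOM incident),
                or contains the trusted name without actually being under it
    unrelated - anything else
    """
    trusted = trusted_domain.lower()
    host = hostname_of(url)
    if host == trusted or host.endswith("." + trusted):
        return "genuine"
    # Drop a leading "www." so that www.momgov.sg is compared as momgov.sg.
    bare = host[4:] if host.startswith("www.") else host
    if levenshtein(bare, trusted) <= max_distance:
        return "lookalike"
    if trusted in host:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # The first three hosts are the ones named in the incident report; the
    # remaining two are constructed for illustration.
    samples = [
        "http://www.mom.gov.sg/",
        "http://www.momgov.sg",
        "http://www.movgov.sg",
        "https://example.com/",
        "http://mom.gov.sg.example.net/login",
    ]
    for url in samples:
        print(f"{url:45} -> {classify_link(url, 'mom.gov.sg')}")
```

The subdomain test is exact, so only hosts ending in ".mom.gov.sg" count as genuine; the edit-distance rule catches the two typosquats from the incident, and the substring rule catches a host that merely starts with the trusted name.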

The operation, known as “#Nov5th”, is touted as a global movement to celebrate Guy Fawkes Day/Night, an affiliation with the iconic masks worn by Anonymous members as a means of identification for the group, with a mass rally to remind the world ‘that fairness, justice and freedom are more than just words’.

Deviating from their usual modus operandi of underground communication channels for operations, this ‘event’ is planned through mainstream social media channels like Facebook, Twitter and Wordpress blogs.

Facebook pages relating to this event have been created, so we have some grounds to believe some form of cyber aggression may take place on the 5th of November.

We are anticipating some form of cyber-skirmish against government agencies globally, or government-linked entities, possibly denial of service attacks or attempts to breach your network. It would also be prudent to be on heightened alert for attacks on any other private sectors.

Their main target would presumably be attempts to breach and deface publicly available resources and/or obtain personally identifiable information (PII).

GCC has categorized this security alert as high risk priority and we will:

(1) Be on heightened alert for any suspicious network incidents triggered during this period.

Ensure all your software is updated to the latest version, as attackers tend to exploit any kind of vulnerability found within your site to achieve the defacement.

Be on high alert for any unusual activities on your computer and your network.

Facebook 'stalker' tool

Not only must we be careful with our personal information posted on social media networks; now we and our friends on social media networks also have to be careful with what we post about others, and what others post about us. All that available information can be mined to understand the target: you.